AI agents are increasingly vulnerable to social engineering attacks, similar to those targeting human users. Indirect prompt injection (IPI) is an example of these types of attacks that embed malicious instructions in web content retrieved by AI agents to influence their decision-making during task execution. The observed campaigns combine SEO poisoning with CSS/HTML abuse to both manipulate search results and conceal prompt-style instructions that influence AI decision making.
When AI agents misclassify malicious websites as legitimate, they increase the risk of context contamination and downstream Retrieval-Augmented Generation (RAG) poisoning. A North Korean threat group has been targeting financial institutions with a banking trojan. The attack flow is not fully understood. The malware uses JSON-LD to describe the site as a SoftwareApplication and embeds an offers object claiming a $3.00 developer API license key is required to resolve a MissingLicenseKeyException.[/subscribe_to_unlock_form]
AI agents are increasingly vulnerable to social engineering attacks, similar to those targeting human users. Indirect prompt injection (IPI) is an example of these types of attacks that embed malicious instructions in web content retrieved by AI agents to influence their decision-making during task execution. The observed campaigns combine SEO poisoning with CSS/HTML abuse to both manipulate search results and conceal prompt-style instructions that influence AI decision making.
When AI agents misclassify malicious websites as legitimate, they increase the risk of context contamination and downstream Retrieval-Augmented Generation (RAG) poisoning. A North Korean threat group has been targeting financial institutions with a banking trojan. The attack flow is not fully understood. The malware uses JSON-LD to describe the site as a SoftwareApplication and embeds an offers object claiming a $3.00 developer API license key is required to resolve a MissingLicenseKeyException.[emaillocker id="1283"]
It also provides a Stripe checkout link. The threat group's motivation, campaign scale, victim counts, regions, or active development are unknown. Defensive implications include monitoring for malicious websites that impersonate legitimate services and using IPI to manipulate AI-driven workflows. The risk of context contamination and downstream RAG poisoning is high.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Defence Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
The following reports contain further technical details:
[/emaillocker]